FWR Media, September 1, 2005:

Hi

I'm seeing very odd redirects when I look at Tools/Who's Online. They are like this, and there's loads of them:

oscommerce/redirect.php?action=url&goto=nextermest%2ecom

I'm wondering if someone has hacked a script into the shop. Where does it go? Go to .. http://nextermest.com

Ultimate SEO Urls 5 PRO - Multi Language Modern, Powerful SEO Urls
KissMT Dynamic SEO Meta & Canonical Header Tags
KissER Error Handling and Debugging
KissIT Image Thumbnailer
Security Pro - Querystring protection against hackers (a KISS contribution)
If you found my post useful please click the "Like This" button to the right. Please only PM me for paid work.
Guest, September 1, 2005:

It's possible. Check your host's logs for who uploaded what.

There is an "antivirus" exe to d/l from that site. I checked it with what I have but could not see anything with the a/v tools. Could be spyware of course.

Seems suspicious; the whois shows the site as "not active".
FWR Media, September 1, 2005:

> It's possible. Check your host's logs for who uploaded what. There is an "antivirus" exe to d/l from that site. I checked it with what I have but could not see anything with the a/v tools. Could be spyware of course. Seems suspicious; the whois shows the site as "not active".

I'm new at analysing raw logs .. obviously the vast majority are "GET". What am I looking for?
Vger, September 1, 2005:

Upload a new (default and unedited) root level redirect.php file. Delete the old one first.

Set 'Use Cache' to false in your osC admin panel.

Change the last line of both configure.php files to read 'mysql' where indicated.

These last two will give your site some protection against infected files from other sites contaminating yours. The first one should remove any hack from the redirect.php file (if one exists).

Last, but not least, check in your osC admin panel, under Tools --> Server Info, which version of PHP your hosting company is running. If it's anything less than 4.3.10 (patched) then it is vulnerable to hacking.

It does look like a hack.

Vger
RObW, September 1, 2005:

We are seeing the same activity - Who's Online shows the URLs requested as:

/catalog/redirect.php?action=url&goto=nextermest%2ecom

Access log shows:

[01/Sep/2005:19:09:05 -0400] "GET /catalog/redirect.php?action=url&goto=ourwebsite.com/catalog/redirect.php%3faction=url%26goto=nextermest%252ecom HTTP/1.1" 302 38 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)" "osCsid=4314bf9cdeac687fa8585fe70d6c48ce"

So it looks like they are trying to redirect from a redirect... probing for vulnerabilities? Any greater PHP gurus out there able to work out if there is a vulnerability that needs plugging?

Cheers
Rob
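What to look for in those raw logs, as an added example that is not code from this thread or from osCommerce: a small Python scanner over Apache-style access log lines that pulls the goto parameter out of redirect.php requests, decodes it until stable (so the double-encoded nextermest%252ecom resolves), follows nested redirect.php hops to the final host and flags any request that lands off-site. The shop hostname ourwebsite.com, the OWN_HOSTS set and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote, urlparse

OWN_HOSTS = {"ourwebsite.com", "www.ourwebsite.com"}  # the shop's own hostnames (assumed)
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')

# Constructed sample lines in the shape RObW posted above, not real traffic.
SAMPLE_LOG = """\
[01/Sep/2005:19:09:05 -0400] "GET /catalog/redirect.php?action=url&goto=ourwebsite.com/catalog/redirect.php%3faction=url%26goto=nextermest%252ecom HTTP/1.1" 302 38 "-" "Mozilla/4.0"
[01/Sep/2005:19:10:11 -0400] "GET /catalog/redirect.php?action=url&goto=nextermest%2ecom HTTP/1.1" 302 38 "-" "Mozilla/4.0"
[01/Sep/2005:19:11:42 -0400] "GET /catalog/redirect.php?action=url&goto=ourwebsite.com%2Fcatalog%2Fproduct_info.php%3Fproducts_id%3D7 HTTP/1.1" 302 38 "-" "Mozilla/4.0"
"""

def raw_param(query, name):
    # still-encoded value of one query parameter, '' if absent
    return dict(pair.partition("=")[::2] for pair in query.split("&")).get(name, "")

def fully_decode(value):
    """Percent-decode until stable, so nextermest%252ecom becomes nextermest.com."""
    while unquote(value) != value:
        value = unquote(value)
    return value

def classify_redirect(request_target):
    """None unless the request hit redirect.php; else (final host, reasons), empty = benign."""
    reasons, dest = [], request_target
    for hop in range(5):  # follow redirect.php?goto= hops, nested ones included
        url = urlparse(dest if "://" in dest or dest.startswith("/") else "http://" + dest)
        nxt = fully_decode(raw_param(url.query, "goto"))
        if not url.path.endswith("/redirect.php") or not nxt:
            break
        if hop:
            reasons.append("goto nests another redirect.php (redirect chain)")
        dest = nxt
    if dest == request_target:
        return None
    host = (urlparse(dest if "://" in dest else "http://" + dest).hostname or "").lower()
    if host not in OWN_HOSTS:
        reasons.append("final destination is off-site: " + host)
    return host, reasons

def scan_log(text):
    """(line number, final host, reasons) for every suspicious redirect.php request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        result = classify_redirect(match.group(1)) if match else None
        if result and result[1]:
            hits.append((lineno, *result))
    return hits
```

The third sample line is a legitimate on-site redirect and is not reported, so the check separates the nextermest.com hits from normal shop traffic rather than flagging every redirect.php request.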
FWR Media, September 2, 2005:

Thanks for the reply, I'm still confused however.

> Upload a new (default and unedited) root level redirect.php file. Delete the old one first.

Why? If it's been altered I need to know how.

> Set 'Use Cache' to false in your osC admin panel.

Already was set to false.

> Change the last line of both configure.php files to read 'mysql' where indicated.

I was already using database driven sessions.

> Last, but not least, check in your osC admin panel, under Tools --> Server Info which version of php your hosting company is running. If it's anything less than 4.3.10 (patched) then it is vulnerable to hacking. It does look like a hack.
>
> Vger

I am using 4.4.0